[lvs-users] vip-to-vip connection between two sets of realservers with one director?

Gary Smith gary.smith at holdstead.com
Thu Apr 22 00:33:10 BST 2010


> All,
> 
> 
> Let's say hypothetically I have a director with two vips.  The vips
> represent different services, different areas of responsibility, etc.
> This isn't my actual case, but as an example, they could be a front-end
> web-server and a back-end database server.  But one director for both
> sets of realservers.
> 
> 
> For this simple example, let's say that I currently only have one
> realserver for each virtual-server/vip.
> 
> 
> 
> I'm doing LVS/NAT.  I would like to have the web-server connect to the
> vip representing the database virtual server and have the connection
> work.  I'm also doing an SNAT rule for each virtual server on the
> director to ensure that outbound traffic from the realservers appear to
> come from the vip of the virtualserver.
> 
> It doesn't work of course.  Or I wouldn't be asking - how can I make
> this work?  Ideally, if I could do a PREROUTING SNAT rule, I think I
> could make it work, but iptables says 'no' to that.  I'm wondering if I
> could do some kind of SNAT POSTROUTING rule on the realservers to do
> something special, or if there is a better/different way.


Use different subnets for the different classes of real servers.

Ex:

Data rail: 10.0.1.0/24
Web rail: 10.0.2.0/24

Data server:
	* IP 10.0.1.2/24

Web server:
	* IP 10.0.2.2/24

Director:  
	* IP 10.0.1.1/24
	* IP 10.0.2.1/24
	* VIP 10.0.3.10/24 Data
	* VIP 10.0.3.11/24 Web (or the public IP if ipvs is the firewall as well)

ipvsadm -A -t 10.0.3.10:3306 -s wlc
ipvsadm -a -t 10.0.3.10:3306 -r 10.0.1.2:3306 -m -w 100
ipvsadm -A -t 10.0.3.11:80  -s wlc
ipvsadm -a -t 10.0.3.11:80 -r 10.0.2.2:80 -m -w 100


No need to NAT/SNAT at this point.

> 
> 
> As an analog to LVS, I set up for individual realservers and two vips a
> pair of symmetric SNAT/DNAT rules for each realserver, and then was able
> to make this work.  I'm not sure where in the packet-processing stream
> for outbound packets LVS picks the packets back up, or if it does at all.
> 
> 
> So, does my question make sense?  I would like realservers for one vip
> to make connections to the vip of another virtual server on the same
> director.  Anyone know how?
> 
> Fred Clift
> 
> 
> --
> Fred Clift
> MCS Team Architect
> 801-437-7471
> Verio, and NTT Communications Company
> 
> 
> 
> 
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
> 
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
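To show why the two-rail layout in the reply works without any SNAT, here is a small model of the packet flow (an added example, not code from the list post or the LVS project): a web realserver opens a connection to the data VIP, the director DNATs it to the data realserver, and the data server's reply has to pass back through the director to be rewritten to the VIP. With separate subnets and the director leg as each rail's gateway that happens automatically; the same-subnet counter-example (constructed addresses, not from the post) shows the reply going on-link and bypassing the director. The address plan and the ipvsadm table are the ones from the reply; the host routing, conntrack and port numbers are simplified assumptions of this model.

```python
"""Added example (not code from the list post): a model of the two-rail
LVS/NAT layout from the reply. It checks whether a realserver-to-VIP reply
passes back through the director, which LVS/NAT requires for un-NATing."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Virtual services from the reply: (VIP, port) -> list of (RIP, port).
VIRTUAL_SERVERS = {
    ("10.0.3.10", 3306): [("10.0.1.2", 3306)],   # data rail
    ("10.0.3.11", 80): [("10.0.2.2", 80)],       # web rail
}


def ipvsadm_commands(table=VIRTUAL_SERVERS):
    """Render the ipvsadm -A / -a lines for the table (LVS/NAT, wlc, weight 100)."""
    lines = []
    for (vip, vport), realservers in table.items():
        lines.append(f"ipvsadm -A -t {vip}:{vport} -s wlc")
        for rip, rport in realservers:
            lines.append(f"ipvsadm -a -t {vip}:{vport} -r {rip}:{rport} -m -w 100")
    return lines


def next_hop(iface, dst, gateway):
    """Plain host routing: on-link destinations go direct, everything else to the gateway."""
    if ipaddress.ip_address(dst) in ipaddress.ip_interface(iface).network:
        return "direct"
    return gateway


def director_forward(pkt, table, conntrack):
    """Inbound LVS/NAT: DNAT VIP:port to the (single) realserver and record the mapping."""
    realservers = table.get((pkt.dst, pkt.dport))
    if not realservers:
        return pkt                       # not a virtual service: just routed
    rip, rport = realservers[0]          # one realserver, so scheduling is trivial
    conntrack[(rip, rport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
    return Packet(pkt.src, pkt.sport, rip, rport)


def director_reverse(pkt, conntrack):
    """Outbound LVS/NAT: rewrite a realserver reply back to the VIP the client used."""
    vs = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if vs is None:
        return pkt
    return Packet(vs[0], vs[1], pkt.dst, pkt.dport)


def simulate(web_iface, web_gw, data_iface, data_gw, vip="10.0.3.10", vport=3306):
    """Trace web -> VIP -> data and the reply; report what the web server sees."""
    conntrack = {}
    web_ip = str(ipaddress.ip_interface(web_iface).ip)
    syn = Packet(web_ip, 40000, vip, vport)          # 40000: assumed ephemeral port
    if next_hop(web_iface, vip, web_gw) == "direct":
        return {"ok": False, "reason": "VIP treated as on-link by web server"}
    fwd = director_forward(syn, VIRTUAL_SERVERS, conntrack)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    hop = next_hop(data_iface, reply.dst, data_gw)
    if hop != "direct":
        reply = director_reverse(reply, conntrack)   # reply passed the director
    ok = (reply.src, reply.sport) == (vip, vport)    # must come back from the VIP
    return {"ok": ok, "reply_src": f"{reply.src}:{reply.sport}", "reply_via": hop}


def two_rails():
    """Layout from the reply: separate subnets, director leg as each rail's gateway."""
    return simulate("10.0.2.2/24", "10.0.2.1", "10.0.1.2/24", "10.0.1.1")


def one_rail():
    """Constructed counter-example: both realservers on 10.0.1.0/24."""
    return simulate("10.0.1.3/24", "10.0.1.1", "10.0.1.2/24", "10.0.1.1")


if __name__ == "__main__":
    print("\n".join(ipvsadm_commands()))
    print("two rails:", two_rails())
    print("one rail: ", one_rail())
```

In the two-rail case the data server's reply is addressed to 10.0.2.2, which is off-link for 10.0.1.2/24, so it goes to 10.0.1.1 and the director rewrites the source back to 10.0.3.10:3306, matching the connection the web server opened. In the single-subnet case the reply is on-link, never reaches the director, and arrives from 10.0.1.2:3306 instead of the VIP, which is the asymmetric-path failure that the separate rails avoid.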



